fix: configure basic ssh config file

jfroche · samrose · commit f5ce58df3531 · 2026-03-13T10:11:33.000-04:00
Enabling the nginx service in the system configuration was a good start,
but it had implications for the test suite verifying that the AMI was
correctly configured.

We change the configuration to set up a basic ssh config file that
matches the expected configuration for the AMI, and update the tests to
verify that the file is created with the correct content and
permissions.
diff --git a/nix/systemConfigs.nix b/nix/systemConfigs.nix
@@ -1,8 +1,8 @@
 { self, inputs, ... }:
 let
   mkModules = system: [
+    self.systemModules.ssh-config
     ({
-      services.nginx.enable = true;
       nixpkgs.hostPlatform = system;
     })
   ];
diff --git a/nix/systemModules/default.nix b/nix/systemModules/default.nix
@@ -1,14 +1,23 @@
 {
-  flake-parts-lib,
-  withSystem,
-  self,
   ...
 }:
 {
   imports = [ ./tests ];
   flake = {
     systemModules = {
-      nginx = flake-parts-lib.importApply ./nginx.nix { inherit withSystem self; };
+      ssh-config = {
+        environment.etc."ssh/sshd_config.d/local.conf" = {
+          text = ''
+            Match Address 127.0.0.1,::1
+              ForceCommand /bin/false
+              DisableForwarding yes
+              PermitTunnel no
+          '';
+          user = "root";
+          group = "root";
+          mode = "0644";
+        };
+      };
     };
   };
 }
diff --git a/nix/systemModules/tests/default.nix b/nix/systemModules/tests/default.nix
@@ -24,8 +24,12 @@
               machine.activate()
               machine.wait_for_unit("system-manager.target")
 
-              with subtest("Verify nginx service"):
-                  assert machine.service("nginx").is_running, "nginx should be running"
+              with subtest("Verify ssh config"):
+                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").exists, "/etc/ssh/sshd_config.d/local.conf should exist"
+                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").mode == 0o644, "/etc/ssh/sshd_config.d/local.conf should have mode 0644"
+                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").user == "root", "/etc/ssh/sshd_config.d/local.conf should be owned by root"
+                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").group == "root", "/etc/ssh/sshd_config.d/local.conf should be owned by root"
+                  assert machine.file("/etc/ssh/sshd_config.d/local.conf").contains("Match Address"), "/etc/ssh/sshd_config.d/local.conf should contain 'Match Address'"
             '';
           };
       };
